Commit Graph

185 Commits

Author SHA1 Message Date
whyisjake 03372aee6e General: WordPress updates
* XML-RPC: Improve error messages for unprivileged users.
* External Libraries: Disable deserialization in Requests_Utility_FilteredIterator
* Embeds: Disable embeds on deactivated Multisite sites.
* Coding standards: Modify escaping functions to avoid potential false positives.
* XML-RPC: Return error message if attachment ID is incorrect.
* Upgrade/install: Improve logic check when determining installation status.
* Meta: Sanitize meta key before checking protection status.
* Themes: Ensure that only privileged users can set a background image when a theme is using the deprecated custom background page.

Brings the changes from [49380,49382-49388] to the 3.9 branch.

Props xknown, zieladam, peterwilsoncc, whyisjake, desrosj, dd32.

Built from https://develop.svn.wordpress.org/branches/3.9@49407


git-svn-id: http://core.svn.wordpress.org/branches/3.9@49166 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-10-29 19:15:11 +00:00
Pascal Birchler c2f264d25f Adjust post meta checks
Merges [40692] to the 3.9 branch.

Built from https://develop.svn.wordpress.org/branches/3.9@40701


git-svn-id: http://core.svn.wordpress.org/branches/3.9@40564 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-05-16 08:54:15 +00:00
Pascal Birchler a81079c403 Whitelist post arguments in XML-RPC
Merges [40677] to the 3.9 branch.

Built from https://develop.svn.wordpress.org/branches/3.9@40686


git-svn-id: http://core.svn.wordpress.org/branches/3.9@40549 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-05-16 08:29:15 +00:00
Dominik Schilling fdc6949e64 XMLRPC: Don't allow private posts to be sticky.
Merge of [33325], [33612], and [34135] to the 3.9 branch.

See #20662.
Built from https://develop.svn.wordpress.org/branches/3.9@34155


git-svn-id: http://core.svn.wordpress.org/branches/3.9@34123 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-09-14 23:02:14 +00:00
Drew Jaynes 5e51ea9940 Priority fixes for various existing hook documentation.
Props kpdesign.
See #26869

Built from https://develop.svn.wordpress.org/trunk@28083


git-svn-id: http://core.svn.wordpress.org/trunk@27914 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-04-12 00:01:15 +00:00
Andrew Nacin 58ca03f8ea XML-RPC: Fix bracing of conditionals around doc blocks.
props redsweater, DrewAPicture.
fixes #27506.

Built from https://develop.svn.wordpress.org/trunk@28065


git-svn-id: http://core.svn.wordpress.org/trunk@27897 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-04-10 21:04:14 +00:00
Andrew Nacin a177d8bf18 Don't pass variables by reference.
props markjaquith.
fixes #27656.

Built from https://develop.svn.wordpress.org/trunk@27957


git-svn-id: http://core.svn.wordpress.org/trunk@27787 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-04-05 18:17:14 +00:00
Andrew Nacin d8622b39d6 Forward pingback IP during pingback verification.
props tellyworth, nacin.
fixes #27613.

Built from https://develop.svn.wordpress.org/trunk@27872


git-svn-id: http://core.svn.wordpress.org/trunk@27703 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-03-31 20:43:18 +00:00
Drew Jaynes c2ebd66843 Inline documentation for hooks in wp-includes/class-wp-xmlrpc-server.php.
Props kpdesign and DrewAPicture.
Fixes #27506.

Built from https://develop.svn.wordpress.org/trunk@27730


git-svn-id: http://core.svn.wordpress.org/trunk@27567 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-03-26 05:44:16 +00:00
Drew Jaynes 8efd225e4d Inline documentation for hooks in wp-admin/includes/file.php.
Fixes #27429.

Built from https://develop.svn.wordpress.org/trunk@27672


git-svn-id: http://core.svn.wordpress.org/trunk@27515 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-03-24 02:45:15 +00:00
Andrew Nacin 5d77f8a18a XML-RPC: In wp.editPost, Remove all terms in a taxonomy when an empty array is explicitly passed.
props jstraitiff, maxcutler.
fixes #26686.

Built from https://develop.svn.wordpress.org/trunk@27554


git-svn-id: http://core.svn.wordpress.org/trunk@27397 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-03-15 05:09:14 +00:00
Andrew Nacin a9e69869c9 XML-RPC: Include 'sticky' in the struct returned from metaWeblog.getRecentPosts.
Using wp.getPosts is preferred and non-WP XML-RPC APIs are no longer actively maintained. This is simply for parity with existing MW methods.

props soulseekah.
fixes #26679.

Built from https://develop.svn.wordpress.org/trunk@27553


git-svn-id: http://core.svn.wordpress.org/trunk@27396 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-03-15 05:05:15 +00:00
Andrew Nacin eb19a09f5b Avoid saving slashed data in XML-RPC's wp.setOptions.
props danielbachhuber.
fixes #22936.

Built from https://develop.svn.wordpress.org/trunk@27551


git-svn-id: http://core.svn.wordpress.org/trunk@27394 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-03-15 04:47:13 +00:00
Drew Jaynes cb8951b0b3 Remove all `@package` and `@subpackage` PHPDoc tags not at the file- or class-levels in core.
See #27200.

Built from https://develop.svn.wordpress.org/trunk@27262


git-svn-id: http://core.svn.wordpress.org/trunk@27119 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-02-25 17:14:14 +00:00
Drew Jaynes cd8cedc40d First there were two, and now there are three -- in the @since versions that came before and that shall be. And so it will be, says nacin.
Props JustinSainton, SergeyBiryukov, DrewAPicture.
Fixes #26713.

Built from https://develop.svn.wordpress.org/trunk@26868


git-svn-id: http://core.svn.wordpress.org/trunk@26754 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-12-24 18:57:12 +00:00
Sergey Biryukov 74f77b85a6 Use get_current_site() instead of the $current_site global when possible.
props jeremyfelt.
fixes #25158.
Built from https://develop.svn.wordpress.org/trunk@26120


git-svn-id: http://core.svn.wordpress.org/trunk@26032 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-11-13 03:23:10 +00:00
Dominik Schilling 8688857816 Introduce show_in_menu for register_taxonomy.
Accepts boolean: true to show, false to hide. If not set, the default is inherited from show_ui.

fixes #20930.
Built from https://develop.svn.wordpress.org/trunk@25133


git-svn-id: http://core.svn.wordpress.org/trunk@25113 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-08-26 22:35:10 +00:00
Andrew Nacin 21a1fe8d4b Use wp_safe_remote_request() and friends instead of reject_unsafe_urls = true.
fixes #24646.



git-svn-id: http://core.svn.wordpress.org/trunk@24917 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-07-31 06:52:13 +00:00
Andrew Nacin 7f12e16e47 Limit pingback response size. fixes #4137. for trunk.
git-svn-id: http://core.svn.wordpress.org/trunk@24871 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-07-29 18:00:06 +00:00
Andrew Nacin 929def2359 XML-RPC: Recursively escape arrays as before, to avoid stomping nested objects. fixes #21767.
git-svn-id: http://core.svn.wordpress.org/trunk@24731 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-07-18 14:31:25 +00:00
Andrew Nacin 44f89293f3 Update XML-RPC comment. props DrewAPicture, fixes #24751.
git-svn-id: http://core.svn.wordpress.org/trunk@24721 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-07-17 20:19:06 +00:00
Andrew Nacin 69dbdc4951 Use wp_slash() instead of the DB layer in XML-RPC. see #21767.
git-svn-id: http://core.svn.wordpress.org/trunk@24716 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-07-16 14:38:54 +00:00
Andrew Nacin 50d0428d42 Avoid notice in XML-RPC when attaching uploads, when attachments do not have a guid in the DB. props ericmann, markoheijnen. fixes #18310.
git-svn-id: http://core.svn.wordpress.org/trunk@24639 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-07-10 06:11:12 +00:00
Andrew Nacin 49bb647dda XML-RPC: Save enclosures with a trailing new line. fixes #23219.
git-svn-id: http://core.svn.wordpress.org/trunk@24623 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-07-10 03:34:35 +00:00
Andrew Nacin b578f36b54 XML-RPC: For wp.getOptions, set readonly to true for writable options that the user does not have permission to edit.
props westi.
fixes #20201.



git-svn-id: http://core.svn.wordpress.org/trunk@24597 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-07-09 02:22:57 +00:00
Andrew Nacin c2db94d10c Use meta caps edit_post, read_post, and delete_post directly, rather than consulting the post type object. map_meta_cap() handles that for us. props markjaquith, kovshenin. fixes #23226.
git-svn-id: http://core.svn.wordpress.org/trunk@24593 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-07-08 20:05:42 +00:00
Andrew Nacin f3e96f0c60 Add strict check in wp_xmlrpc_server::set_custom_fields(). The slash strip ensures these values are the same data type, but it might not be that way forever. props xknown.
git-svn-id: http://core.svn.wordpress.org/trunk@24521 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-06-27 02:46:23 +00:00
Andrew Nacin 96ee267343 Better validation of the URL used in core HTTP requests.
git-svn-id: http://core.svn.wordpress.org/trunk@24480 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-06-21 06:07:47 +00:00
Peter Westwood 34001cb325 XMLRPC: Expose the admin and login urls as read-only options over xml-rpc to make it easier to write rich clients. Fixes #23446 props daniloercoli.
git-svn-id: http://core.svn.wordpress.org/trunk@24382 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-05-29 11:01:32 +00:00
Sergey Biryukov 5679830030 Fix typos in comments. fixes #24337.
git-svn-id: http://core.svn.wordpress.org/trunk@24255 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-05-14 18:22:54 +00:00
Sergey Biryukov 57c10eadbb Use ellipsis instead of three dots. props tjsingleton, jordie23, wojtek.szkutnik, DrewAPicture, SergeyBiryukov. see #8714.
git-svn-id: http://core.svn.wordpress.org/trunk@24207 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-05-08 21:27:31 +00:00
Sergey Biryukov c955859738 Remove \s from regex in pingback_ping() to avoid UTF-8 issues. props tenpura. fixes #24001.
git-svn-id: http://core.svn.wordpress.org/trunk@23952 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-04-10 16:29:00 +00:00
Mark Jaquith acfeb6f20f Take revision control out of the realm of a pure constant. Make it filterable.
* New filter: wp_revisions_to_keep

props ethitter, SergeyBiryukov. fixes #22289.

git-svn-id: http://core.svn.wordpress.org/trunk@23818 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-03-27 18:11:56 +00:00
Andrew Nacin 799ac18951 XML-RPC: Return an error for getRecentPosts (mw and blogger) if the user does not have edit_posts.
props redsweater.
fixes #22320.



git-svn-id: http://core.svn.wordpress.org/trunk@23636 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-03-07 06:52:37 +00:00
Ryan Boren 15a06a35ab Use wp_unslash() instead of stripslashes() and stripslashes_deep(). Use wp_slash() instead of add_magic_quotes().
see #WP21767


git-svn-id: http://core.svn.wordpress.org/trunk@23591 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-03-03 16:30:38 +00:00
Ryan Boren 43a7e695e9 Revert 23416, 23419, 23445 except for wp_reset_vars() changes. We are going a different direction with the slashing cleanup, so resetting to a clean slate. see #21767
git-svn-id: http://core.svn.wordpress.org/trunk@23554 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-03-01 16:28:40 +00:00
Andrew Nacin 5cd77fdb99 Revert [23359]. The post_author and comment_count post object fields will remain numeric strings for back compat. see #22324.
git-svn-id: http://core.svn.wordpress.org/trunk@23531 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-02-28 19:40:26 +00:00
Ryan Boren cc5ed3a485 Change all core API to expect unslashed rather than slashed arguments.
The exceptions to this are update_post_meta() and add_post_meta() which are often used by plugins in POST handlers and will continue accepting slashed data for now.

Introduce wp_upate_post_meta() and wp_add_post_meta() as unslashed alternatives to update_post_meta() and add_post_meta(). These functions could become methods in WP_Post so don't use them too heavily yet.

Remove all escape() calls from wp_xmlrpc_server. Now that core expects unslashed data this is no longer needed.

Remove addslashes(), addslashes_gpc(), add_magic_quotes() calls on data being prepared for handoff to core functions that until now expected slashed data. Adding slashes in no longer necessary.

Introduce wp_unslash() and use to it remove slashes from GPCS data before using it in core API. Almost every instance of stripslashes() in core should now be wp_unslash(). In the future (a release or three) when GPCS is no longer slashed, wp_unslash() will stop stripping slashes and simply return what is passed. At this point wp_unslash() calls can be removed from core.

Introduce wp_slash() for slashing GPCS data. This will also turn into a noop once GPCS is no longer slashed. wp_slash() should almost never be used. It is mainly of use in unit tests.

Plugins should use wp_unslash() on data being passed to core API.

Plugins should no longer slash data being passed to core. So when you get_post() and then wp_insert_post() the post data from get_post() no longer needs addslashes(). Most plugins were not bothering with this. They will magically start doing the right thing. Unfortunately, those few souls who did it properly will now have to avoid calling addslashes() for 3.6 and newer.

Use wp_kses_post() and wp_kses_data(), which expect unslashed data, instead of wp_filter_post_kses() and wp_filter_kses(), which expect slashed data. Filters are no longer passed slashed data.

Remove many no longer necessary calls to $wpdb->escape() and esc_sql().

In wp_get_referer() and wp_get_original_referer(), return unslashed data.

Remove old stripslashes() calls from WP_Widget::update() handlers. These haven't been necessary since WP_Widget.

Switch several queries over to prepare().

Expect something to break.

Props alexkingorg
see #21767


git-svn-id: http://core.svn.wordpress.org/trunk@23416 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-02-14 22:51:06 +00:00
Sergey Biryukov 1d396b8a1f Merge two different descriptions of siteurl and home options. fixes #22771.
git-svn-id: http://core.svn.wordpress.org/trunk@23363 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-02-01 01:35:37 +00:00
Sergey Biryukov 142f8bbe58 Cast post_author to string in XML-RPC methods. props markoheijnen. fixes #22324.
git-svn-id: http://core.svn.wordpress.org/trunk@23359 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-01-31 01:25:26 +00:00
Andrew Nacin 82e9c40482 Validate pingback source URIs. Less verbose errors.
git-svn-id: http://core.svn.wordpress.org/trunk@23329 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-01-22 22:30:08 +00:00
Andrew Nacin fbf4acf638 Remove XML-RPC's blogger::getTemplate and setTemplate. They are not supported and do nothing.
git-svn-id: http://core.svn.wordpress.org/trunk@22914 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-11-29 02:35:39 +00:00
Andrew Nacin 61caecfa93 Use the create_posts post type cap in more places. Remove the janky create_posts meta cap. see #16714.
git-svn-id: http://core.svn.wordpress.org/trunk@22908 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-11-28 22:28:20 +00:00
Ryan Boren 55dc9d1616 Define array to avoid notice.
Props ericmann
fixes #22479


git-svn-id: http://core.svn.wordpress.org/trunk@22622 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-11-16 22:14:57 +00:00
Peter Westwood fe99b07017 XMLRPC: When Editing an existing post make sure to use wp_update_post instead of wp_insert_post so as to not perform destructive actions on the content.
The wp.EditPost() API will accept very limited data to only edit specific attributes of a post, if you didn't supply a category change then we would previously
overwrite the original categories with the default cat.

Fixes #22220 props nacin.


git-svn-id: http://core.svn.wordpress.org/trunk@22584 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-11-14 22:58:24 +00:00
Mark Jaquith ca7b159cc7 Squash a PHP notice in the XML-RPC server.
git-svn-id: http://core.svn.wordpress.org/trunk@22560 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-11-13 22:35:41 +00:00
Ryan Boren cf596d4979 In wp_xmlrpc_server::_insert_post(), preservea valid post status instead of overwriting it with 'draft'. This preserves the 'inherit' status of attachments. Props markoheijnen. fixes #22335
git-svn-id: http://core.svn.wordpress.org/trunk@22368 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-11-05 14:44:25 +00:00
Ryan Boren 3d4470939d In wp_xmlrpc_server::_insert_post(), don't return an error if set_post_thumbnail() returns false when the attachment ID doesn't change.
Props picklepete
fixes #22204


git-svn-id: http://core.svn.wordpress.org/trunk@22277 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-10-23 14:08:20 +00:00
Andrew Nacin 64a9609aeb Reference xmlrpc.php with the 'rpc' site_url() argument to ensure a proper scheme is applied. see #18731.
git-svn-id: http://core.svn.wordpress.org/trunk@22171 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-10-10 21:55:36 +00:00
Andrew Nacin dfbe93b7a5 Improve pingback text extraction by stopping at a closing block-level tag. props Otto42. see #21914.
git-svn-id: http://core.svn.wordpress.org/trunk@22152 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-10-09 23:56:32 +00:00